ENTERPRISE MOBILE PRE-ATT&CK
TECHNIQUES
  1. Home
  2. Techniques
  3. Enterprise
  4. Deobfuscate/Decode Files or Information

Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system.

One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1]

Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [3] Adversaries may also used compressed or archived scripts, such as Javascript.

ID: T1140

Tactic: Defense Evasion

Platform:  Windows

Permissions Required:  User

Data Sources:  File monitoring, Process monitoring, Process command-line parameters

Defense Bypassed:  Anti-virus, Host intrusion prevention systems, Signature-based detection, Network intrusion detection system

Contributors:  Matthew Demaske, Adaptforward; Red Canary

Version: 1.0

Examples

NameDescription
APT19

An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[4]

APT28

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.[5][6]

Astaroth

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.[7]

AuditCred

AuditCred uses XOR and RC4 to perform decryption on the code functions.[8]

Azorult

Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[9][10]

Bankshot

Bankshot decodes embedded XOR strings.[11]

BBSRAT

BBSRAT uses Expand to decompress a CAB file into executable content.[12]

Bisonal

Bisonal decodes strings in the malware using XOR and RC4.[13]

BRONZE BUTLER

BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[14]

Carbon

Carbon decrypts task and configuration files for execution.[15]

Cardinal RAT

Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[16]

certutil

certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1]

CoinTicker

CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[17]

Darkhotel

Darkhotel has decrypted strings and imports using RC4 during execution.[18]

DDKONG

DDKONG decodes an embedded configuration using XOR.[19]

Denis

Denis will decrypt important strings used for C&C communication.[20]

Dyre

Dyre decrypts resources needed for targeting the victim.[21]

Expand

Expand can be used to decompress a local or remote CAB file into an executable.[22]

Final1stspy

Final1stspy uses Python code to deobfuscate base64-encoded strings.[23]

FinFisher

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[24][25]

Gorgon Group

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[26]

Honeybee

Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.[27]

InvisiMole

InvisiMole can decrypt, unpack and load a DLL from its resources.[28]

ISMInjector

ISMInjector uses the certutil command to decode a payload file.[29]

Kwampirs

Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[30]

Leviathan

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[31]

menuPass

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.[32][33]

MirageFox

MirageFox has a function for decrypting data containing C2 configuration information.[34]

MuddyWater

MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[35][36][37]

NOKKI

NOKKI uses a unique, custom de-obfuscation technique.[38]

OilRig

A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[39][29][40]

OopsIE

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[40]

PlugX

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[41]

POWERSTATS

POWERSTATS can deobfuscate the main backdoor code.[37]

Proton

Proton uses an encrypted file to store commands and configuration values.[42]

QUADAGENT

QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[43]

Remexi

Remexi decrypts the configuration data using XOR with 25-character keys.[44]

RGDoor

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[45]

RogueRobin

RogueRobin decodes an embedded executable using base64 and decompresses it.[46]

Smoke Loader

Smoke Loader deobfuscates its code.[47]

Starloader

Starloader decrypts and executes shellcode from a file called Stars.jps.[48]

Threat Group-3390

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[49]

TrickBot

TrickBot decodes the configuration data and modules.[50]

Tropic Trooper

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload.[51]

TYPEFRAME

One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[52]

VERMIN

VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[53]

Volgmer

Volgmer deobfuscates its strings and APIs once its executed.[54]

Zebrocy

Zebrocy decodes its secondary payload and writes it to the victim’s machine.Zebrocy uses AES and XOR to decrypt strings and payloads.[55][56]

ZeroT

ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[57]

Zeus Panda

Zeus Panda decrypts strings in the code during the execution process.[58]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting [59] tools, like AppLocker, [60] [61] or Software Restriction Policies [62] where appropriate. [63]

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.

Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

References

  1. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
  2. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  3. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  4. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  5. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  6. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  7. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  8. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  9. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  10. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  11. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  12. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  13. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  14. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  15. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  16. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  17. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  18. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  19. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  20. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  21. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  22. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
  23. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  24. FinFisher. (n.d.). Retrieved December 20, 2017.
  25. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  26. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  27. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  28. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  29. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  30. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  31. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  32. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  1. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  2. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  3. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  4. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  5. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  6. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  7. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  8. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  9. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  10. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  11. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  12. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  13. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  14. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  15. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  16. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  17. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  18. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  19. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  20. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  21. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  22. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  23. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  24. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  25. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  26. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  27. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  28. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  29. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  30. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  31. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.